CVE-2019-16178

EPSS 0.34%
Veröffentlicht 09.09.2019 21:15:11
Zuletzt bearbeitet 21.11.2024 04:30:12
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

A stored cross-site scripting (XSS) vulnerability was found in Limesurvey before 3.17.14 that allows authenticated users with correct permissions to inject arbitrary web script or HTML via titles of admin box buttons on the home page.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Limesurvey ≫ Limesurvey Version < 3.17.14

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.34%	0.534

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.4	2.3	2.7	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
nvd@nist.gov	3.5	6.8	2.9	AV:N/AC:M/Au:S/C:N/I:P/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://www.limesurvey.org/limesurvey-updates/2188-limesurvey-3-17-14-build-190902-released

Third Party Advisory

Release Notes

https://github.com/LimeSurvey/LimeSurvey/commit/5870fd1037058bc4e43cccf893b576c72293371e#diff-d539f3f8185667ee48db78e1bf65a3b4R39

Patch

Third Party Advisory

Release Notes

https://nvd.nist.gov/vuln/detail/CVE-2019-16178

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2019-16178

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2019-16178

EUVD